New Features Discovered in Windows XP SP3: Is It Better Than Vista?

The principal reason given for the tremendous under-the-hood changes to Windows unveiled early this year in Vista was the need to overhaul the security model. Indeed, Vista has proven to be a generally more secure operating system, though some vulnerabilities that apply to ordinary software impact Vista users just as much as any other.

But now, software analysts testing the latest build 3205 of the beta for Windows XP Service Pack 3 are discovering a wealth of genuinely new features - not just patches and security updates (although there are literally over a thousand of those), but services that could substantially improve system security without overhauling the kernel like in Vista.

One of these features had actually been on Microsoft's list for some time, and might actually have caused problems for customers had it been omitted: Network Access Protection (NAP), which is due to be managed by the forthcoming Windows Server 2008. This new service disallows network clients from accessing a WS2K8 server without passing a minimum "health screening," which checks for the presence of updates and service packs (including SP3) and disallows access to failing clients until they upgrade.

When NAP's inclusion in WS2K8 was first confirmed in late August, a Microsoft spokesperson contacted BetaNews to make sure we reported that it wasn't only for Windows Server and Vista. We assumed that meant it would find its way to XP as well, though the spokesperson declined to be pressed further at that time.

A one-two punch involving a rollout of WS2K8 and XP SP3 in the first half of next year -- which is Microsoft's current plan -- could pave the way for a hardening of endpoint security on Windows networks, at least somewhat. Contributing to that hardening will be the inclusion of new cryptographic algorithms in the kernel, by means of Kernel Mode Cryptographic Module (KMCM). Coupled with access policies provided by NAP, admins could theoretically implement a new, second layer of policies for encrypted communications and authentication between network peers, provided by Triple-DES algorithms accessible through the kernel.

In other words, enterprises that previously have had trouble embracing the idea of deploying across-the-board encryption may feel more comfortable trying it out, now that KMCM is a baseline feature. It premiered in Windows 2000, and its first implementation in a Windows client was for the first edition of Vista.

Neosmart also discovered evidence of hardening of Windows' IP stack, including the inclusion of Microsoft's new "black hole router" detection scheme. Way back in 1990, the IETF implemented a way for routers to detect in advance the shortest path along which to send a large number of datagrams without having to fragment them too seriously along the way. The plan was referred to as Path Maximum Transmission Unit (PMTU), its objective being for sending routers to seek out receiving routers that mangle fewer datagrams.

As it turned out, some receiving routers that sending routers had pegged as PMTU members were responding to datagrams flagged "do not fragment" by simply discarding them. These were referred to as "black hole routers," and they have been a perennial plague to streaming operations. The new router detection scheme enables IP routers along the way to flag misbehaving PMTU candidates in advance and steer around them.
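As an added illustration, not code from the article or from Microsoft's implementation, here is a constructed Python model of why a black hole router defeats ordinary PMTU discovery and how a sender can still cope: a well-behaved router that refuses an oversized "do not fragment" datagram reports back with an ICMP "fragmentation needed" message carrying its MTU, whereas a black hole discards the datagram silently, so the sender sees only timeouts and must fall back to a smaller size on its own. The hop MTUs, the three-timeout threshold and the 576-byte fallback are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Hop:
    """One router on the path (constructed model, not real network code)."""
    mtu: int
    sends_icmp: bool = True  # False = black hole: drops DF datagrams silently

def forward(path: List[Hop], size: int, df: bool) -> Optional[int]:
    """Push one datagram down the path. Returns None if it arrives, or the
    MTU of the refusing hop when that hop answers with ICMP 'fragmentation
    needed'. A black hole hop refuses but says nothing; the sender only ever
    observes a timeout, which is modelled here by raising TimeoutError."""
    for hop in path:
        if size > hop.mtu:
            if not df:
                size = hop.mtu      # router fragments it and sends it on
                continue
            if hop.sends_icmp:
                return hop.mtu      # well-behaved router reports its MTU
            raise TimeoutError      # black hole: silent discard
    return None

def discover_pmtu(path: List[Hop], start_mtu: int = 1500,
                  max_timeouts: int = 3, fallback: int = 576) -> Tuple[Optional[int], bool]:
    """Classic PMTU discovery plus black-hole detection. ICMP reports shrink
    the probe size directly. After max_timeouts consecutive silent losses the
    sender assumes a black hole and retries at the fallback size (assumed
    value; a real stack might instead clear DF). Returns (pmtu, suspected)."""
    size, timeouts, suspected = start_mtu, 0, False
    while size > 0:
        try:
            reported = forward(path, size, df=True)
        except TimeoutError:
            timeouts += 1
            if timeouts < max_timeouts:
                continue            # ordinary retransmission, same size
            if suspected:
                return None, True   # even the fallback size is swallowed
            suspected, timeouts, size = True, 0, min(size, fallback)
            continue
        if reported is None:
            return size, suspected  # datagram got through at this size
        size, timeouts = reported, 0 # honour the ICMP-reported MTU
    return None, suspected
```

With an ICMP-reporting 1400-byte hop the probe settles at 1400 bytes; with the same hop acting as a black hole the sender never learns that number and instead drops to the 576-byte fallback after three unanswered probes.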

This is a feature that Microsoft has updated just last month, and which it might not have had to include with XP SP3 to please customers. So its inclusion is being treated as an indication there are developers at Microsoft who are still willing to treat XP seriously, perhaps extending its viable lifetime well into 2009.